Information recording medium, data processing method, and computer program

ABSTRACT

The present invention provides a configuration for preventing each entity code stored in information recording media from being leaked. Authoring studio code (ASC) and disc manufacturer code (DMC) are encrypted without failure and the encrypted codes are stored in information recording media. The data setting location in program map table (PMT) is controlled such that these entity codes will not overlap the seed area that provides key generating information, so that, if the packet storing the program map table storing authoring studio code (ASC) and disc manufacturer code (DMC) is set to an arbitrary position in a content packet sequence, these entity codes will not overlap the seed area that is non-encrypted data, thereby preventing these entity codes from being leaked outside.

TECHNICAL FIELD

The present invention relates generally to an information recordingmedium, a data processing method, and a computer program. Moreparticularly, the present invention relates to an information recordingmedium, a data processing method, and a computer program that preventthe unauthorized use of content based on the illegal copy of informationrecording media on which content is recorded.

BACKGROUND ART

Recently, various kinds of audio data of music and so on, image data ofmovies and so on, game programs, application programs and software data(these data will hereafter generically referred to as content) aredistributed through various kinds of information recording media such asCD (Compact Disc), DVD (Digital Versatile Disc), and MD (Mini Disc).These kinds of distributed content are reproduced for use on user's PC(Personal Computer), CD player, DVD player, MD player and otherreproduction devices, and game machine, for example.

The distribution rights and other rights of many items of content suchas music data and image data are generally owned by their producers orsellers. Therefore, it is a general practice in the distribution ofcontent to impose certain restrictions on its use, namely, allow onlyauthorized users to use content, thereby preventing the illegal copy ofcontent for example from being practiced.

Recently, recording devices and recording media for recordinginformation in a digital manner have been gaining popularity. Thesedigital recording devices and recording media are capable of repeatedlyrecording and reproducing images and sounds for example withoutdeterioration, thereby presenting a problem of the mass distribution ofillegal copy content via the Internet and so-called pirated discsproduced by replicating content onto CD-R and other recordable discs.

Recently developed DVD technology for example allows a huge amount ofdata of a whole movie for example to be recorded on a single disc asdigital information. This situation makes it increasingly important toprotect the copyright of content by preventing illegal copy.

The illegal copy of movie content is actually taking place. Therefore,with HD (High Definition) digital video cameras and HD digital videodisc recorders expected to soon become reality in the consumer market,it is easily conceivable that leaving the above-mentioned problemunsolved would seriously damage the benefit of copyright holders.

Cases of illegal copy of content include the following for example:

<1. Videotaping and Theft at Movie Theater and Theft From Content Owner>

It is practiced that a newly released film movie being play in a movietheater is videotaped with a digital video camera and the video-tapedmovie is used as the source of DVD-video which is a ROM. It is alsopracticed to convert a movie film for movie theater by the telecineprocess into base-band video signal which is used as a source tomanufacture pirated DVD-video ROMs without paying the price of the moviefilm and without the permission of the copyright holder.

In another case, the content obtained by recording a movie film owned bya content owner onto a HDD by the telecine process without permission ofthe owner. The recorded content is brought to DVD manufacturingfacilities to produce DVD-video ROMs.

<2. Theft From Authoring Studio>

In the process of authoring which is ordered by a content owner, contentmay be stolen. The stolen content is brought to DVD manufacturingfacilities to produce DVD-video ROMs.

<3. Replication From Authorized DVD-video (By Use of Code-breakingTechnique)>

DVD players use CSS (Content Scramble System) for example as a techniquefor preventing unauthorized content use. In CSS, video data and audiodata are recorded as encrypted on a DVD-ROM (Read Only Memory) and thedecryption key for these encrypted data is given to each licensed DVDplayer. The license is granted to each DVD player that is designed tocomply with a predetermined operation standard against illegal copy andso on. Therefore, each licensed DVD player can decrypt the encrypteddata recorded on a DVD-ROM by use of the granted decryption key toreproduce images and sounds from the DVD-ROM.

On the other hand, unlicensed DVD players have no key for decryptingencrypted data and therefore cannot decrypt the encrypted data recordedto a DVD-ROM. Thus, in the CSS configuration, the DVD players notsatisfying the conditions required at licensing cannot record digitaldata and reproduce DVD-ROMS, thereby preventing illegal copy frompracticing.

However, DeCSS software for breaking CSS encryption has recently beenspreading through the Internet. Anyone can easily get this software,break the encryption of content, and write the decrypted content torecordable DVDs in the form of plaintext. Therefore, it is apprehendedthat the encryption applied to digital video discs is broken and thecontent of these discs is brought to DVD manufacturing facilities toproduce DVD-video ROMs.

<4. Replication From Authorized DVD-video (Use of Analog Output)>

Because personal computers (hereafter appropriately referred to as PCs)are not content-dedicated devices, they have no liability to respond toCGMS-A (Copy Generation Management System-Analog) and macrovisionsignals for example which are recorded to each content storage medium ascopy control information. Therefore, copy control is not effectivelyimposed on personal computers, thereby making it practicable forpersonal computers to input the output from a DVD-video player into thevideo capture broad incorporated in each personal computer, therebycopying the video data to the personal computer's HDD (Hard Disc Drive).The video data recorded to the HDD is ready to be written to recordableDVDs any time in the state of plaintext. It is also practicable to bringthe content thus obtained to DVD manufacturing facilities to produceDVD-video ROMs.

If the recording media which illegally copied are distributed on themarket, the benefits of the copyright holders of various content itemssuch as music and movies or the benefits of authorized dealers thereofwould be seriously damaged.

It should be noted that, for a technique of preventing the unauthorizeduse of content, the applicant hereof proposed encryption processingtechniques in which different keys are applied to the data blocks ofcontent to be stored in a recording medium, which are disclosed inpatent document 1 (Japanese Patent Laid-open No. 2001-351324) and patentdocument 2 (Japanese Patent Laid-open No. 2002-236622) for example. Tobe more specific, a seed is set as the key generation information foreach data block and the seed set to each block is applied to thegeneration of cryptographic key to make complicated the contentencryption conventionally practiced with only a single key, therebyenhancing the difficulty of breaking cryptographic algorithms.

However, in the process of manufacturing and marketing the informationrecording media such as content-recorded CDs and DVDs, content or thekey information and so on associated with the encryption of content isdistributed among various external business entities.

Problems here are that, in the current situation, no properconfiguration has been realized in which the content management and keyinformation management in the manufacture and distribution ofcontent-recorded information recording media are executed in acentralized and effect manner, thereby making it difficult to trace theroute of the distribution of illegal copy media. Especially, it isdifficult to distinguish the media coming into the market as a result ofthe theft by content authors or disc manufacturers themselves from theauthorized products, thereby making the problem more serious.

DISCLOSURE OF INVENTION

It is therefore an object of the present invention to provide aninformation recording medium, a data processing method, an a computerprogram which, in a configuration in which content recorded to variousinformation recording media such as DVD and CD is used on reproductiondevices and information processing devices such as personal computers,can check whether the content-recorded information recording media arein the authorized manufacturing and sale routes consisting of authorizedentities managed by a trusted center, ensure the copyright protection ofcontent by enabling its reproduction on the basis of the result of thischeck, and realize the prevention of the leakage of the identificationinformation of each entity recorded to each information recordingmedium.

In carrying out the invention and according to one aspect thereof, thereis provided an information recording medium storing encrypted content,the information recording medium having a configuration in which contentand an entity code set for each entity in a manufacturing route of theinformation recording medium and data included in a certain encryptionprocessing unit is encrypted by a key generated on the basis of a seedproviding encryption processing key generating information set for eachthe encryption processing unit and the entity code is stored in anencrypted area which is encrypted by the key generated on the basis ofthe seed, the encrypted area not overlapping an area to which the seedis set.

In the above-mentioned information recording medium according to theinvention, the encryption processing unit is set as a collective dataarea of a plurality of packets and the seed is set as data having thepredetermined number of bits from start data of a start packet of theencryption processing unit and the entity code is stored as a payload ofeach of the plurality of packets and stored in a data area notoverlapping an area of bits constituting the seed.

In the above-mentioned information recording medium according to theinvention, the entity code is stored in a program map table (PMT)specified by the MPEG standard and the entity code provides dataconstituting a start packet of a plurality of divided packets storingthe program map table (PMT) in a program information area of the programmap table (PMT).

In the above-mentioned information recording medium according to theinvention, the start packet of the plurality of divided packets is atransport stream packet having a payload of 183 bytes and the entitycode is stored as data within 183 bytes from start data of the programmap table (PMT) in the program information area of the program map table(PMT).

In the above-mentioned information recording medium according to theinvention, the entity code is stored in a program map table (PMT)specified by the MPEG standard, the program map table (PMT) is stored asa payload of each of a plurality of transport stream packets in adivided manner, and each of the plurality of transport stream packet isattached with timestamp information to be stored in the informationrecording medium as a source packet in a distributed manner.

In the above-mentioned information recording medium according to theinvention, the information recording medium includes a first seed, whichis key generating information set for each the encryption processingunit, an encrypted second seed, which is key generating informationencrypted on the basis of a first block key Kb1 generated by the firstseed, and encrypted content and an encrypted entity code encrypted onthe basis of a second block key Kb2 generated on the basis of the secondseed.

In the above-mentioned recording medium according to the invention, theentity code includes an authoring studio code (ASC) and a discmanufacturer code (DMC).

In carrying out the invention and according to a second aspect thereof,there is provided a data processing method for generating data to bewritten to an information recording medium, including: an entity codesetting step in which a position at which an entity code set for anentity in a manufacturing route of the information recording medium isset is controlled to set the entity code in a control information table;a table information stored packet generating step in which a pluralityof packets in which the control information table is stored in a dividedmanner are generated; a step in which the plurality of table informationstored packets are arranged in a content stored packet sequence in adistributed manner; and a step in which data included in a certainencryption processing unit is encrypted by use of a key generated on thebasis of a seed which is encryption processing key generatinginformation set for each the encryption processing unit; wherein theentity code setting step includes a step in which control is executedsuch that the entity code is included in an encrypted area encrypted bya key generated on the basis of the seed without overlapping an area towhich the seed is set.

In the above-mentioned data processing method, the encryption processingunit is a collective data area of a plurality of packets, the seed isdata having the predetermined number of bits from start data of a startpacket of the encryption processing unit, and the entity code settingstep includes a step in which the entity code is set to a data areawhich does not overlap an area of bits constituting the seed.

In the above-mentioned data processing method, in the entity codesetting step, the entity code is set in a program information area ofthe program map table (PMT) specified by the MPEG standard and to aposition of data constituting a start packet of a plurality of dividedpackets storing the program map table (PMT).

In the above-mentioned data processing method, the start packet of theplurality of divided packets is a transport stream packet having apayload of 183 bytes and, in the entity code setting step, the entitycode is set as data the program information area of the program maptable (PMT) and within 183 bytes from start data of the program maptable (PMT).

In carrying out the invention and according to a third aspect thereof,there is provided a computer program for executing the processing ofgenerating data to be written to an information recording medium,including: an entity code setting step in which a position at which anentity code set for an entity in a manufacturing route of theinformation recording medium is set is controlled to set the entity codein a control information table; a table information stored packetgenerating step in which a plurality of packets in which the controlinformation table is stored in a divided manner are generated; a step inwhich the plurality of table information stored packets are arranged ina content stored packet sequence in a distributed manner; and a step inwhich data included in a certain encryption processing unit is encryptedby use of a key generated on the basis of a seed which is encryptionprocessing key generating information set for each the encryptionprocessing unit; wherein the entity code setting step includes a step inwhich control is executed such that the entity code is included in anencrypted area encrypted by a key generated on the basis of the seedwithout overlapping an area to which the seed is set.

According to the present invention, the entity codes such as authoringstudio code (ASC) and the disc manufacturer code (DMC) can be encryptedwithout failure and stored in information recording media to preventthese entity codes from being leaked outside. Therefore, the novelconfiguration can prevent the manufacturing of the recording media inwhich stored an illegally obtained copy of content made by use of theseentity codes that are illegally obtained by masquerading entities. To bemore specific, the data setting locations in program map table (PMT) iscontrolled such that these entity codes will not overlap the seed areathat provides key generating information, so that, if the packet storingthe program map table storing authoring studio code (ASC) and discmanufacturer code (DMC) is set to an arbitrary position in a contentpacket sequence, these entity codes will not overlap the seed area thatis non-encrypted data, thereby preventing these entity codes from beingleaked outside.

Further, in the novel configuration, authoring studio code (ASC) anddisc manufacturer code (DMC) are stored in each information recordingmedium along with encrypted content and the encrypted content can bereproduced only when the detection and matching of these entity codesare successfully executed, so that any attempt to reproduce contentstored in any recording medium having the illegally obtained codes orany information recording medium that stores none of these entity codesis defeated, thereby allowing the reproduction of only the contentstored in the recording media that have been manufactured on the basisof authorized manufacturing routes. In case the manufacturing anddistributing of unauthorized replications should happen, thisconfiguration also allows the easy tracing of information leakage routesby the detection of authoring studio code (ASC) and disc manufacturercode (DMC).

Still further, in the novel configuration, the code information of eachentity is stored in each information recording medium, so that only thecontent authoring entity and information recording medium manufacturingentity that are managed by the trusted center are allowed to authorcontent and manufacture the information recording media storing theauthored content, thereby making it practicable, in case of the illegalreplication of the information recording media, to trace informationleakage routes on the basis of the detection of these entity codes.

It should be noted that the computer program according to the inventionis a computer program that can be provided to any general-purposecomputer system that can execute various program codes, in thecomputer-readable forms of recording media such as CD, DVD, MO forexample and communication media such as networks. The provision of theprogram in computer-readable forms realizes the processing correspondingto the program on the computer systems.

Many other features, advantages, and additional objects of the presentinvention will become manifest to those versed in the art upon makingreference to the detailed description which follows and the accompanyingsheet of drawings. It should be noted that term “system” as used hereindenotes a logical aggregation of plural devices and is not restricted toa configuration in which all its components are accommodated in a singlehousing.

BRIEF DESCRIPTION OF DRAWINGS

FIG. 1 is a schematic diagram illustrating a data configuration in whichdata is stored in an information recording medium;

FIG. 2 is a schematic diagram illustrating routes of the management ofdata which is stored in an information recording medium and themanufacture thereof;

FIG. 3 shows a tree structure which is applied to the encryption anddistribution of various keys and data;

FIG. 4 shows exemplary enabling key blocks (EKBs) for use in thedistribution of various key and data;

FIG. 5 shows a schematic diagram illustrating exemplary distribution anddecryption processing by use of the enabling key block (EKB) of contentkey;

FIG. 6 shows a configuration in which data is stored in an informationrecording medium;

FIG. 7 is a schematic diagram illustrating a program map table PMT whichincludes an authoring studio code (ASC) and a disc manufacturer code(DMC) stored in an information recording medium;

FIG. 8 is a block diagram illustrating an exemplary configuration of aninformation processing device;

FIG. 9 is a block diagram illustrating content decryption andreproduction control processing which is executed in the informationprocessing device;

FIG. 10 is a block diagram illustrating the content decryptionprocessing which is executed in the information processing device;

FIG. 11 shows examples of disc-unique key generation processing;

FIG. 12 shows a sequence of decrypting encrypted data;

FIG. 13 is a block diagram illustrating content reproduction controlprocessing;

FIG. 14 is a flowchart indicative of procedures of content decryptionprocessing and reproduction control processing;

FIG. 15 is a flowchart indicative of the procedures of contentdecryption processing and reproduction control processing;

FIG. 16 shows examples of seed information storage configurations;

FIG. 17 is a block diagram illustrating data storage processing andencryption processing which are executed on an information recordingmedium for each entity;

FIG. 18 shows an exemplary configuration of program map table PMT dataincluding authoring studio code (ASC) and disc manufacturer code (DMC);

FIG. 19 shows an exemplary configuration of setting seed 2 for each AUas encryption processing unit;

FIG. 20 shows positions at which authoring studio code (ASC) and discmanufacturer code (DMC) are stored;

FIG. 21 shows positions at which authoring studio code (ASC) and discmanufacturer code (DMC) are stored;

FIG. 22 is a block diagram illustrating encryption processing which isexecuted by content authoring entity;

FIG. 23 is a block diagram illustrating encryption processing which isexecuted by information recording medium manufacturing entity;

FIG. 24 is a block diagram illustrating data storage processing andencryption processing which are executed on an information recordingmedium for each entity in a processing example with no disc ID used;

FIG. 25 is a schematic diagram illustrating a configuration of datawhich is stored on an information recording medium in a processingexample with no disc ID used;

FIG. 26 is a block diagram illustrating content decryption processingwhich is executed in an information processing device in a processingexample with no disc ID used; and

FIG. 27 is a block diagram illustrating an exemplary configuration of aninformation processing device which is applied to a user device and eachentity.

BEST MODE FOR CARRYING OUT THE INVENTION

The following details the information recording medium, data processingmethod, and computer program according to the invention.

[Overview of Data Recording Configuration on Recording Medium andManufacturing Process]

First, a data configuration in which data is stored on an informationrecording medium according to the invention and a process ofmanufacturing this information recording medium will be overviewed.Encrypted data stored on the information recording medium is read,decrypted, and reproduced on data recording/reproducing devices or PCs(Personal Computers).

The following describes data which is stored on the informationrecording medium according to the invention, with reference to FIG. 1.It should be noted that the information recording media according to theinvention include various types of information recording media such asoptical, magnetic, semiconductor, and flash memories and are notrestricted to disc-shaped memories.

As shown in FIG. 1, an information recording medium 100 stores a disc ID101, a physical index 102, encrypted content 103, a record seed (RECSEED) 104, and cryptographic key information 120. The cryptographic keyinformation 120 is stored in a lead-in area 110 which can be read on thebasis of a special program, this area being different from the contentstorage area of the information recording medium 100.

The cryptographic key information 120 includes various key informationnecessary for the decryption and reproduction of the encrypted content103 stored on the information recording medium 100. The followingdescribes the overview of the information which is recorded toinformation recording media and a route of manufacturing theseinformation recording media with reference to FIGS. 1 and 2.

As shown in FIG. 2, content to be stored on information recording mediais authored by a content authoring entity (AS: Authoring Studio) 330.The recording medium on which the authored content is recorded isreplicated in bulk at an information recording medium manufacturingentity (DM: Disc Manufacturer) 350 in the form of CD or DVD, theresultant information recording medium 100 being provided to users. Theinformation recording medium 100 is reproduced on an informationprocessing device 200 of each user.

The total management over the disc manufacturing, sale, and use of theinformation recording medium 100 is executed by a management center (TC:Trusted Center) 300. The management center (TC: Trusted Center) 300provides various kinds of information to the content authoring entity(AS: Authoring Studio) 330 and the information recording mediummanufacturing entity (DM: Disc Manufacturer) 350. On the basis of themanagement information supplied by the management center (TC: TrustedCenter) 300, the content authoring entity (AS: Authoring Studio) 330 andthe information recording medium manufacturing entity (DM: DiscManufacturer) 350 execute the authoring, encryption, key informationgeneration, and storage of content. Also, the management center (TC:Trusted Center) 300 manages and provides a device key to be stored inthe user's information processing device. The details of these pieces ofinformation will be described later.

The cryptographic key information 120 shown in FIG. 1 includes variouskinds of key information necessary for the decryption and reproductionof the encrypted content 103 stored in the information recording medium100. The cryptographic key information 120 is generated by the trustedcenter 300 and is provided to the information recording mediummanufacturing entity (DM: Disc Manufacturer) 350. The informationrecording medium manufacturing entity (DM: Disc Manufacturer) 350 storesthe cryptographic key information 120 supplied by the trusted center 300into the lead-in area 110 of the information recording medium 100.

The cryptographic key information 120 includes an EKB 121 as acryptographic key block stored by encrypting a media key Km necessaryfor the reproduction of content, an encrypted first title key eKm(Kt1)122 obtained by encrypting a first title key (Kt1) set in correspondencewith content or medium by a media key Km, an encrypted second title keyeKm(Kt2) 123 obtained by encrypting a second title key (Kt2) by themedia key, an encrypted ASC:eKt2(ASC) 124 obtained by encrypting anauthoring studio code (ASC) set in correspondence with a contentauthoring entity by a second title key (Kt2), and an encryptedDMC:eKt2(DMC) 125 obtained by encrypting a disc manufacturer code (DMC):Disc Manufacturer Code) by the second title key (Kt2).

It should be noted that the authoring studio code (ASC) and the discmanufacturer code (DMC) are identification information which is by thetrusted center to the external business entities acknowledged to beauthentic by the trusted center in the routes of manufacturing andmarketing the information recording media recorded with content. In thepresent embodiment, examples will be described in which these codes arecode data set as an authoring studio identifier and a disc manufactureridentifier respectively. For example, these codes may be set for eachmanufacturing unit (or lot) or order unit of recording media.Alternatively, these codes may be set for each piece of content to berecorded to recording media. It is also practicable to set these codesas those which include date information such as order date ormanufacture date of recording media in which content is stored. Thedetails of the storage forms of these code data will be described later.

The EKB 121 denotes an enabling key block which can get a media keynecessary for content decryption only by the processing (or decryption)based on a device key stored in the information processing device ofeach user having a valid license key. The key information block enablesthe key acquisition based on the validity of the license granted to theuser device (or the information processing device) by an informationdistribution method based on a so-called hierarchical tree structure,thereby preventing the acquisition of the key (or the media key) of therevoked user device. By changing the key information to be stored inEKB, the trusted center can generate an EKB that has a configuration inwhich encrypted content cannot be decrypted by the device key stored ina particular user device, namely the media key necessary for contentdecryption cannot be acquired.

The following describes the processing of providing encrypted data suchas cryptographic keys to which a hierarchical tree structure is applied,with reference to drawings. Numbers 0 through 15 shown at the bottom ofFIG. 3 indicate user devices functioning as information processingdevices on which content is used for example. Namely, the leaves of thehierarchical tree shown in FIG. 3 respectively correspond to the userdevices.

Devices 0 through 15 each store, in its memory, keys (or node keys)allocated to its node starting with its leaf and ending with the rootand a key set (device key (DNK: Device Node Key) composed of the leafkeys of each leaf). K0000 through K1111 indicated at the bottom of FIG.3 are the leaf keys respectively allocated to the devices 0 through 15.The keys shown between a KR (root key) at top and those shown on thesecond node from bottom, KR through K111 for example, are node keys.

In the tree structure shown in FIG. 3, device 0 for example has leaf keyK0000 and node keys K000, K00, K0, and KR, as its device keys. Device 5for example has K0101, K010, K01, K0, and KR. Device 15 for has K1111,K111, K11, K1, and KR. It should be noted that the tree shown in FIG. 3has only 16 devices, 0 through 15, and four layers in a symmetricalmanner; obviously, the tree can be more devices and the layers insidethe tree may be arranged in an asymmetrical manner.

The devices included in the tree structure shown in FIG. 3 includevarious types of devices which use various media, such as the DVD, theCD, the MD, the flash memory, and so on adapted to be used asincorporated in the device or removable therefrom. Moreover, variousapplication services may exist together in these devices. The layeredtree structure of the content or key distribution configuration as shownin FIG. 3 is applied on the basis of such configuration in which variousdevices and various applications exist together.

In a system in which these various kinds of devices and applicationsexist together, a portion enclosed by a dashed line for example shown inFIG. 3, namely devices 0, 1, 2, and 3, are set as one group that uses asame recording medium. For example, such processing is executed on thedevices in this group enclosed by a dashed line as the provision ofcommon content from a provider by encrypting and transmitting thecontent via a network or in an information recording medium like CD, thetransmission of a content key which can be commonly used by all of thesedevices, and the output of encrypted content fee payment data from eachof these devices to the provider or an accounting settlementorganization. The entities such as content servers, license servers, andshop servers which execute data transmission/reception with devices canexecute the processing of transmitting data in a lump to the portionenclosed by dashed line shown in FIG. 3, namely devices 0, 1, 2, and 3,as one group. There are two or more groups of this kind in the treeshown in FIG. 3.

It should be noted that the node keys and the leaf keys may becollectively managed by one managing system having trusted centercapabilities or may be managed by a configuration in which themanagement is executed on a group basis by message data distributionmeans such as a provider or an accounting settlement organization whichexecutes various data transmission/reception operations with each group.These node keys and leaf keys are renewed if key leakage occurs forexample. This renewal processing may be executed by a management system,a provider, or an account settlement organization that has keymanagement center capabilities.

As seen from FIG. 3, in the above-mentioned tree structure, threedevices 0, 1, 2, and 3 included in one group each have a device key(DNK: Device Node Key) which includes common keys K00, K0, and KR as thedevice key (DNK: Device Node Key). Use of this node key sharingconfiguration allows the provision of the common keys only to devices 0,1, 2, and 3. For example, the commonly owned node key K00 becomes anowned key common to devices 0, 1, 2, and 3. Also, the distribution ofvalue Enc(K00, Knew) obtained by encrypting new key Knew by node key K00to devices 0, 1, 2, and 3 via a network or in a recording medium allowsonly devices 0, 1, 2, and 3 to get new key Knew by decrypting encryptionEnc(K00, Knew) by use of common node key K00 owned by each device. Itshould be noted that Enc(Ka, Kb) denotes the data obtained by encryptingKb by Ka.

If the keys K0011, K001, K00, K0 and KR owned by device 3 were broken bya hacker for exposure at time t for example, it is subsequentlynecessary to disconnect device 3 from the system in order to protect thedata which is transmitted/received in the system (the group of devices0, 1, 2, and 3). To do so, it is required to renew node keys K001, K00,K0, and KR to new keys K(t)001, K(t)00, K(t)0, and K(t)R and transmitthese new keys to devices 0, 1, and 2. K(t)aaa denotes the renewal keyof generation t of key Kaaa.

The following describes renewal key distribution processing. Key renewalprocessing is executed by supplying a table composed of block datacalled an enabling key block (EKB) shown in FIG. 4(A) for example todevices 0, 1, and 2 via a network or in a recording medium. It should benoted that an enabling key block (EKB) is composed based on an encryptedkey for distributing the renewal keys to the devices corresponding tothe leaves in a tree structure as shown in FIG. 4. An enabling key block(EKB) is also referred to as a key renewal block (KRB).

The enabling key block (EKB) shown in FIG. 4(A) is configured as blockdata which has a data configuration in which can be renewed only by thedevice of which node keys must be renewed. The example shown in FIG. 4shows the block data formed for the purpose of distributing the renewalnode keys of generation t in devices 0, 1, and 2 in the tree structureshown in FIG. 3. As seen from FIG. 3, devices 0 and 1 require K(t)00,K(t)0, and K(t)R as renewal node keys and device 2 requires K(t)001,K(t)00, K(t)0, and K(t)R as renewal node keys.

As shown in the EKB of FIG. 4(A), the EKB includes a plurality ofencrypted keys. The encrypted key shown at the bottom is Enc(K0010,K(t)001). This is the renewal node key K(t)001 encrypted by leaf keyK0010 owned by device 2. Device 2 can decrypt this encrypted key by itsown leaf key to get K(t)001. By use of K(t)001 obtained by decryption,the encrypted key Enc(K(t)001, K(t)00) on the second row from bottomshown in FIG. 4(A) can be decrypted to get renewal node key K(t)00.Subsequently, encrypted key Enc(K(t)00, K(t)0) on the second row fromtop shown in FIG. 4(A) is decrypted to get renewal node key K(t)0 andencrypted key Enc(K(t)0, K(t)R) on the top row shown in FIG. 4(A) aredecrypted to get K(t)R.

On the other hand, with devices K0000 and K0001, node key K000 is notincluded in the keys to be renewed; the necessary nodes keys are K(t)00,K(t)0, and K(t)R. With devices K0000 and K0001, encrypted key Enc(K000,K(t)00) on the third row from top shown in FIG. 4(A) is decrypted to getK(t)00, encrypted key Enc(K(t)00, K(t)0) on the second row from top isdecrypted to get renewal node key K(t)0, and encrypted key Enc(K(t)0,K(t)R) on the top row shown in FIG. 4(A) is decrypted to get K(t)R.Thus, devices 0, 1, and 2 can get renewal key K(t)R. It should be notedthat the index shown in FIG. 4(A) indicates the absolute addresses ofthe node keys and leaf keys for use as decryption keys.

If the renewal of node keys K(t)0 and K(t)R on the upper row in the treestructure shown in FIG. 3 is unnecessary and the renewal of only nodekey K00 is necessary, then use of the enabling key block (EKB) shown inFIG. 4(B) allows the distribution of renewal node key K(t)00 to devices0, 1, and 2.

The EKB shown in FIG. 4(B) can be used if a media key Km which can beobtained only in a particular group is distributed, for example. It isassumed for example that a media key Km which can be used only ondevices 0, 1, 2, and 3 in the group enclosed by dashed line shown inFIG. 3 be distributed. At this time, data Enc(K(t)00, K(t)m) obtained byencrypting a new media key Km by use of K(t)00 obtained by renewing nodekey K00 common to devices 0, 1, 2, and 3 is distributed along with theEKB shown in FIG. 4 (B). This distribution allows the distribution ofthe data which cannot be decrypted by other devices as device 4 forexample.

Namely, with devices 0, 1, and 2, decrypting the above-mentionedciphertext by use of K(t)00 obtained by processing the EKB allows theacquisition of the key at time t, media key K(t)m to be applied tocontent encryption/decryption for example.

FIG. 5 shows an example of processing for obtaining the key at time t,media key K(t)m which is applied to content encryption/decryption forexample. It is assumed that the EKB store data Enc(K(t)00, K(t)m)obtained by encrypting media key K(t)m by use of K(t)00, along with thedata shown in FIG. 4 (B). In this example, device 0 is used.

As shown in FIG. 5, device 0 generates node key K(t)00 by the same EKBprocessing as described above, by use of the EKB at generation t storedin a recording medium and node key K000 stored in device 0 in advance.Further, by use of decrypted renewal key K(t)00, device 0 decryptsencrypted data Enc(K(t)00, K(t)m) to get renewal media key K(t)m.

Another example is possible in which only the devices may be obtainedthat does not require the renewal of node keys in a tree structure butrequires only media key K(t)m at time t. In this case, a method shownbelow may be used.

It is assumed here that media key K(t)m be transmitted to only devices0, 1, and 2 as with the example shown in FIG. 3. In this case, EKB is asfollows:

Version: t

Index : Encrypted key

000: Enc(K000, K(t)m)

0010: Enc(K0010, K(t)m)

Devices 0 and 1 can use K000 and device 2 can use K0010 to decrypt oneof ciphertexts of the above-mentioned EKB, thereby getting a contentkey. This configuration enhances the efficiency of a method of giving acontent key to necessary devices although node key renewal cannot beexecuted (namely, this configuration reduces the size of EKB by reducingthe number of ciphertexts included in EKB as well as the number of timesencryption is executed at the trusted center and decryption is executedat each device).

The following describes the details of other data which is stored in theinformation recording medium 100 with reference to FIG. 1 again. Thedisc ID 101 an information recording medium ID which is an identifierunique to each information recording medium. The disc ID 101 is themanagement information which is generated by the trusted center 300 andpassed to the information recording medium manufacturing entity 350,being different for each disc. For example, the trusted center 300generates a seed (S) which is different for each disc and generates, forthe number of discs allowed by the trusted center, data (S, Sig)attached with electronic signature (Sig) for verification of alteration,providing the generated data to the information recording mediummanufacturing entity 350. The information recording medium manufacturingentity 350 stores the ID information (S, Sig) which is different foreach disc into each information recording medium (or each disc).

In the information processing device of the user who executes contentreproduction, the ID information (S, Sig) stored in an informationrecording medium (or a disc) is read. If the ID information is found bysignature verification processing to be unaltered, then the proceduremoves to content decryption processing. It should be noted that thesignature may include the signature based on the public key cryptographyor the signature based on the common key cryptography such as MAC. Inthe application of the signature based on the public key cryptography,the trusted center 300 executes signature generation based on privatekey and the information processing device of each user executessignature verification based on the public key of the trusted center300. In the case of the common key method, a common signature key isshared between the trusted center and the user device to executesignature generation and verification processing. The processing to beexecuted by the information processing device of the user (or the userdevice) will be described later.

The physical index 102 which is stored in the information recordingmedium shown in FIG. 1 is generated by the information recording mediummanufacturing entity 350 and stored in the information recording medium.The record seed (REC SEED) 104 is generated by the content authoringentity 330 and passed to the information recording medium manufacturingentity 350 to be stored in the information recording medium.

The encrypted content 103 stores a program map table PMT which includesauthoring studio code (ASC) and disc manufacturer code (DMC). PMT whichis the information including authoring studio code (ASC) and discmanufacturer code (DMC) and is embedded in content at the contentauthoring entity 330. In addition, the encrypted content 103 storesauthoring studio code (ASC: Authoring Studio Code) as electronicwatermark (WM: WaterMark) and disc manufacturer code (DMC). Theembedding of these codes is executed at the trusted center 300. Thedetail sequence of the processing of embedding various data into theinformation recording medium will be described later.

The encrypted content which is stored in each information recordingmedium is configured as a transport stream (TS) as the encoded dataspecified by the MPEG-2 system for example. A transport stream canconfigure two or more programs in it and has ATS (Arrival TimeStamp)providing the information indicative of the timing of occurrence of eachtransport packet. This timestamp is determined at the time of encodingso that T-STD (Transport Stream System Target Decoder), a virtualdecoder specified in the MPEG-2 system, is not failed and controls theoccurrence timing by the ATS added to each transport packet at the timeof stream reproduction to decrypt and reproduce the transport stream.

For example, in recording transport stream packets to a recordingmedium, the packets are recorded as source packets with the intervalstherebetween closed up. Storing the occurrence timing of each transportpacket in the recording medium along with the transport packets allowsthe control of the output timing of each packet at the time of itsreproduction.

The overviews, the recording configuration of data stored in aninformation recording medium and the processing of recorded datadecryption and reproduction, will be hereinafter described withreference to FIG. 6. The data stored in each information recordingmedium is encrypted data; therefore its reproduction requires itsdecryption. FIG. 6(a) shows a data recording configuration in which datais stored in an information recording medium. Control data (User ControlData) of 18 bytes and user data of 2048 bytes are configured as onesector data; for example, data equivalent to three sectors is specifiedas one unit of encryption processing. It should be noted that the bytecount and processing unit described herein are nothing but examples;therefore, various other byte counts of control data and user data andthe processing units may be set.

(b) shows a configuration of one unit (1 AU: Aligned Unit) in whichencryption processing is executed. The information processing devicewhich executes the reproduction of encrypted data stored in aninformation recording medium extracts one AU (Aligned Unit) which is aencryption processing unit on the basis of a flag in the control data.

One unit (1 AU) which is an encryption processing unit includes an areaencrypted by block key Kb1 and an area encrypted by block key Kb2 asshown in (c) encrypted configuration. Alternatively this unit mayinclude an area which is encrypted in a duplicate manner by use of blockkeys Kb1 and Kb2. Generating the block keys requires seed informationwhich is key generating information. Seed information (seed 1) is keygenerating information for generating block key Kb1 and seed information(seed 2) is key generating information for generating block key Kb2. Forthese pieces of key generating information, 128-bit information or64-bit information extracted, for each encryption processing unit (1AU), from the stored information in the encryption processing unit,namely, the control information and a data sequence such as content inthe user data area. The seed information storage mode and encryptionmode shown in FIG. 6(c) are nothing but examples. Other exemplaryconfigurations will be described later.

Decrypting the encrypted content stored in the user data area requiresto read the seed information from the information recording medium,generate keys (block keys) based on the seed information, and executedecryption processing by use of the generated block keys.

As shown in FIG. 6(c), seed information (seed 1) necessary forgenerating block key Kb1 and seed information (seed 2) necessary forgenerating block key Kb2 are stored on the information recording medium.At the same time, seed information (seed 2) is stored as encrypted byblock key Kb1 generated by seed information (seed 1). A program maptable (PMT) including authoring studio code (ASC) and disc manufacturercode (DMC) is stored in the encrypted content. In addition, contentauthoring studio code (ASC: Authoring Studio Code) and disc manufacturercode (DMC: Disc Manufacturer Code) are also stored as electronicwatermark (WM: WaterMark).

Thus, the data on which encryption processing is executed by use of twodifferent keys is stored in the recording medium and the encrypted datais decrypted by applying the two keys at the time of reproduction.

After the decryption processing executed on one processing unit basis,the decrypted transport stream packet is inputted in an MPEG-2 decoderand executed decoding process, and the decoded packet is reproduced. Oneprocessing unit (three sectors) includes 32 transport stream (TS)packets for example. Namely, 32×192=6144-byte data is regarded as oneencryption and decryption processing unit. It should be noted that otherprocessing units may be set as required.

At the time of decryption and reproduction, two pieces of seedinformation (seed 1 and seed 2) are obtained from the informationrecording medium for each processing unit, two block keys Kb1 and Kb2are generated on the basis of the obtained seed information, anddecryption processing is executed by use of the generated block keys Kb1and Kb2, thereby reproducing the content.

At the recording of content, the processing which is reverse to thedecryption and reproduction processing is executed; namely, two piecesof seed information (seed 1 and seed 2) are set for each processingunit, two block keys Kb1 and Kb2 are generated on the basis of the seedinformation, and the encryption processing is executed by use of thegenerated block keys Kb1 and Kb2, thereby recording the content.

As described above, each content recording medium such as DVD stores theencrypted content and a program map table PMT (Program Map Table)including authoring studio code (ASC) and disc manufacturer code (DMC).The program map table PMT including these codes is embedded in thecontent at the content authoring entity 330 (refer to FIG. 2).

The following describes a method in which the program map table PMTincluding authoring studio code (ASC) and disc manufacturer code (DMC)is embedded in content. It should be noted that authoring studio code(ASC) and disc manufacturer code (DMC) may be not only the code data setas authoring studio identifier and disc manufacturer identifier asdescribed before but also the setting codes for each disc manufacturingunit (or lot) and each order unit or the codes set for each piece ofcontent to be stored in each recording medium. Further, these codes maybe set as the codes which include the date and time of ordering ormanufacturing the content storage recording medium.

In the present embodiment, an example of application of authoring studiocode (ASC) and disc manufacture code (DMC) is described asidentification codes. It is also practicable in the present embodimentto give identification information (or codes) corresponding to theentities managed by the trusted center, various entities which exist inthe processes of manufacturing and distribution of content recordingmedia for example, thereby enabling the management based on theidentification codes to be given to these entities. The followingdescribes an exemplary management configuration in which the entities tobe managed by the trusted center are an authoring studio and a discmanufacturer, and the identification codes corresponding to theseentities are authoring studio code (ASC) and disc manufacturer code(DMC).

FIG. 7 shows an example in which program map table PMT data includingauthoring studio code (ASC) and disc manufacturer code (DMC) is insertedin content. A program map table PMT shown in FIG. 7(a) is set asinformation which includes various control information andidentification information in addition to authoring studio code (ASC)and disc manufacturer code (DMC), and has a variable data length.

As shown in FIG. 7(b), this program map table (PMT) is stored as dividedinto payload portions of two or more TS packets (188 bytes long each).The number of TS packets corresponds to the data length of the programmap table (PMT). Each payload is preceded by a 4-byte TS packet header.Each TS packet storing the divided data of the program map table (PMT)is further attached with timestamp information and copy controlinformation (CCI: Copy Control Information) as shown in FIG. 7(c) toprovide a source packet (192 bytes long).

The encrypted content itself stored in a recording medium also consistsof many source packets. Program map table (PMT) data stored sourcepackets (PMT packets) are arranged in each encrypted content storedsource packet in a distributed manner as shown in FIG. 7(d). Thelocation of each PMT packet in a content packet is not specified andtherefore each PMT packet can be arranged at any position.

However, it is necessary for the PMT packets to be stored such that theentire program map table (PMT) data can be read within a certain contentreproduction period (0.1 second for example). As shown in FIG. 7(e), theentire data of the program map tables (MPT) distributed as two or morepackets in a content source packet sequence is arranged so that it canbe read repeatedly within a certain reproduction period (0.1 second forexample).

As shown in FIG. 7(d), a collection of 32 source packets provides oneunit (1 AU: Aligned Unit) of 6144 bytes which is encryption processingunit, which has the configuration described above with reference to FIG.6. If content is recorded by use of the transport stream formatspecified in the ISO/IEC 13818-1:1996 (MPEG system), it is necessary torecord the above-mentioned program map table (PMT). The PMT is recordedto a TS packet having PID specified by PAT (Program Association Table).

However, the related-art program map table (PMT) does not define therecording of authoring studio code (ASC) and disc manufacturercode.(DMC) described herein. The processing of embedding authoringstudio code (ASC) and disc manufacturer code (DMC) to be executed ateach authoring studio will be detailed later.

[Configuration of Information Processing Device]

Referring to FIG. 8, there is shown a block diagram illustrating theinformation processing device 200 practiced as one embodiment of theinvention for executing the processing of recording/reproducing contenthaving the above-mentioned encrypted content form described above. Theinformation processing device 200 has a input/output I/F (Interface)220, an MPEG (Moving Picture Experts Group) codec 230, an input/outputI/F (Interface) 240 having an A/D & D/A converter 241, encryptionprocessing means 250, reproduction control processing means 255, a ROM(Read Only Memory) 260, a CPU (Central Processing Unit) 270, a memory280, a drive 290 of a recording medium 295, and transport streamprocessing means (or TS processing means) 298, which are interconnectedby a bus 210.

The input/output I/F 220 receives a digital signal constituting variouspieces of content such as image, sound, and program supplied from theoutside, outputting it to the bus 210, and receives a digital signalfrom-the bus 210, outputting it to the outside. The MPEG codec 230MPEG-decodes the MPEG-encoded data supplied via the bus 210, outputtingthe decoded data to the input/output I/F 240, and MPEG-encodes a digitalsignal supplied from the input/output I/F 240, outputting the encodedsignal to the bus 210. The input/output I/F 240 incorporates the A/D &D/A converter 241. The input/output I/F 240 receives an analog signalsupplied as content from the outside and A/D-converts the receivedsignal through the A/D & D/A converter 241, outputting the resultantdigital signal to the MPEG codec 230, and D/A-converts a digital signalsupplied from the MPEG codec 230 through the A/D & D/A converter 241,outputting the resultant analog signal to the outside.

The encryption processing means 250, based on a single-chip LSI (LargeScale Integrated Circuit) for example, encrypts or decrypts a digitalsignal supplied via the bus 210 as content, outputting the resultantsignal to the bus 210. The reproduction control processing means 255executes various processing operations for verification in contentreproduction. If no reproduction condition is satisfied, thereproduction control processing means 255 stops content reproductionprocessing. The encryption processing means 250 and the processingexecuted thereby will be detailed later.

It should be noted that the encryption processing means 250 is notrestricted to a single-chip LSI; a combination of various softwareprograms or hardware devices may also be used to constitute theencryption processing means. In the figure, the encryption processingmeans 250 and the reproduction control processing means 255 are shown asseparate blocks; these blocks may also be practiced as the processingwhich is executed by a program to be executed under the control of theCPU 270, for example.

The ROM 260 stores a device key unique to each information processingdevice or unique to each group of information processing devices and anauthentication key necessary for mutual authentication. The device keyis used to get a media key by decrypting EKB (Enabling Key Block) as theencrypted key block information which is provided on the basis of a keydistribution tree structure, for example. Namely, the device key isapplied as media key generating information.

The CPU 270 executes programs stored in the memory 280 to control theMPEG codec 230, the encryption processing means 250, and so on. Thememory 280, which is a nonvolatile memory for example, stores programsto be executed by the CPU 270 and the data necessary for the operationof the CPU 270. If the memory 280 is a nonvolatile memory, it can alsostore the device key; in the description of following embodiments of theinvention, it is assumed that the device key be stored in the memory280. The drive 290 drives the recording medium 295 on which digital datacan be recorded and reproduced to read (or reproduce) digital data fromthe recording medium 295, outputting the digital data to the bus 210,and supplies digital data received from the bus 210 to the recordingmedium 295, recording the supplied digital data thereto.

The recording medium 295 is a digital data recordable medium such as theoptical disc like DVD or CD, magneto-optical disc, the magnetic disc,the magnetic tape, or the semiconductor memory like flash ROM, MRAM, orRAM, for example, providing an information recording medium which storesvarious data described with reference to FIG. 1. In the presentembodiment of the invention, the recording medium 295 is removable fromthe drive 290. However, it is also practicable for the recording medium295 to be incorporated in the information processing device 200.

The transport stream processing means (TS processing means) 298 executesdata processing for extracting the transport stream packet correspondingto a particular piece of content from a transport stream multiplexedwith two or more pieces of content, and stores the information about atiming at which the extracted transport stream occurs into the recordingmedium 295 along with each packet. Also, at the time of decryption andreproduction, the transport stream processing means 298 execute theprocessing of transport stream occurrence timing control.

As described before, each transport stream has ATS (Arrival TimeStamp)as transport packet occurrence timing information. Timing control isexecuted on the basis of ATS at the time of decryption by the MPEG2decoder. If transport packets are recorded to a recording medium forexample, the transport stream processing means (TS processing means) 298records them as source packets with their intervals closed up. Storingthe occurrence timing of each transport packet into the recording mediumalong with each transport packet allows the control of the occurrencetiming of each packet at the time of reproduction.

The information processing device 200 according to the inventionexecutes the recording/reproduction of the encrypted content made up ofthe above-mentioned transport stream, for example. The details of theseprocessing operations will be described later. It should be noted thatthe encryption processing means 250 and the transport stream processingmeans (TS processing means 298 shown in FIG. 8 are shown as separateblock for ease of understanding; it is also practicable to configurethese means as a single-chip LSI which executes both functions orrealize these functions by a combination of software programs orhardware devices. Besides, it is also practicable to configure allblocks except for the drive 290 and the recording medium 295 as asingle-chip LSI or realize these functions by a combination of softwareprograms or hardware devices, thereby enhancing the robustness againstthe revocation of security capabilities due to the alteration of theinformation processing device 200.

[Data Reproduction Processing]

The following describes the decryption processing and reproductioncontrol processing of the encrypted data stored in a recording medium.As shown in FIG. 9, the content reproduction in the informationprocessing device 200 includes two steps of the decryption processing ofthe encrypted content in the encryption processing means 250 and thereproduction control processing in the reproduction control processingmeans 255.

Various kinds of information are read from the information recordingmedium 100, the encrypted content is decrypted by the encryptionprocessing means 250, the decrypted content is passed to thereproduction control processing means 255 to determine the reproductioncondition, and, if the reproduction condition is found satisfied, thecontent reproduction is continued; otherwise, the content reproductionis discontinued.

First, the following describes the details of the processing ofdecrypting encrypted content in the encryption processing means 250 withreference to FIG. 10 and on.

In the content decryption process, the encryption processing means 250reads a device key 410 from the memory. The device key 410 is a privatekey stored in each information processing device licensed for contentusage.

Next, in step S11, the encryption processing means 250 executesdecryption of the media key stored EKB stored in the informationrecording medium 100 by applying the device key 410, thereby obtainingmedia key Km.

In step S12, encrypted second title key eKm(Kt2) encrypted by media keyKm stored in the information recording medium 100 is decrypted by use ofmedia key Km obtained in the EKB processing of step S11, therebyobtaining second title key Kt2. Second title key Kt2 is outputted to thereproduction control processing means 255.

In step S13, the encrypted first title key eKm(Kt1) encrypted by mediakey Km stored in the information recording medium 100 is decrypted byuse of media key Km obtained in the EKB processing of step S11, therebyobtaining first title key Kt1.

In step S14, disc-unique seed (S) is obtained from the disc ID stored inthe information recording medium 100. The encryption processing means250 reads a disc ID 404 which is the identification information storedin the information recording medium 100 to execute the verification ofthe disc ID 404. The disc ID is data (S, Sig) having seed S which isdifferent for each disc and electronic signature (Sig) for alterationverification, which are generated by the trusted center 300. Theencryption processing means 250 reads the ID information (S, Sig) fromthe information recording medium 100 to check for any ID alteration bythe signature verification processing. In the case of the signaturebased on the public key cryptography, the signature verification by thepublic key of the trusted center 300 is executed. In the case of thecommon key cryptography, the signature verification processing isexecuted by use of the common key. If no ID alteration is found by thesignature verification processing, then, in step S14, disc-unique seed Sis obtained from the disc ID stored in the information recording medium100. If any ID alteration is found by the signature verificationprocessing, then the content decryption processing comes to a halt.

If no ID alteration is found by the signature verification processing,then, in step S15, disc-unique key Kd is generated by use of disc-uniqueseed S and title key K2. The disc-unique key may be actually generatedin any of the following methods for example. In one method, as shown inFIG. 11(a), with disc-unique seed S used as an input value, AES(Advanced Encryption Standard) which is a common key cryptography isexecuted by use of title key K2 as the encryption key. In anothermethod, as shown in FIG. 11(b), data generated by bit linkage betweentitle key K2 and disc-unique seed S is inputted in hash function SHA-1specified in FIPS 180-1 and a necessary data length is used from itsoutput as disc-unique key.

Further, the encryption processing means 250 generates first record key(REC key) K1 in step S16 on the basis of first title key Kt1 generatedin step S13 and a physical index 406 read from the information recordingmedium 100. Also, the encryption processing means 250 generates secondrecord key (REC key) K2 in step S17 on the basis of disc-unique key Kdgenerated in step S15 and a record seed (REC SEED) 405 read from theinformation recording medium 100. In the generation of these keys, AESencryption processing, hash function, and digest function are appliedappropriately.

Record keys K1 and K2 are required for use in the above-mentionedreproduction processing. The keys and recording processing which areapplied in also in the encryption processing for recording content toinformation recording media will be described later.

When two record keys (REC keys) 1 and 2 have been generated in steps S16and S17, then the procedure goes to step S18 in which encrypted content407 is read from the information recording medium 100 and decrypted bytwo block keys Kb1 and Kb2.

In step S18, seed information (seed 1) included in the controlinformation (UCD: User Control Data) is obtained from the encryptedcontent 407 stored in the information recording medium 100. In step S19,the encryption processing based on seed information (seed 1) and firstrecording key K1 generated in step S16 is executed to generate block keyKb1.

The following describes the processing which is executed subsequent tothe processing of generating block key Kb1 of step S19, with referenceto FIGS. 10 and 12.

In FIG. 12, the decryption processing is executed in processing unit420. This processing unit is equivalent to (b) processing unit describedbefore with reference to FIG. 6. Namely, this processing unit is oneunit (1 AU: Aligned Unit) which is encryption processing unit. Theencryption processing means 250 which executes the reproduction of theencrypted data stored in the information recording medium 100 extracts 1AU (Aligned Unit) which is encryption processing unit on the basis ofthe flag in the control data.

Processing unit 420 includes 18-byte control data (UCD: User ControlData) 421 and 6144-byte user data (including encrypted content). The6144-byte user data is divided by 192 bytes which are the unit oftransport stream packet. The following separately describes a TS packet422 at the beginning of the user data and a subsequent 5952-byte TSpacket group 423. In this example, seed information (seed 1) 431 isstored in control data 421 and seed information (seed 2) 432 is storedin the TS packet 422, in an encrypted form.

It should be noted that there are two or more ways in which the storageof seed information, seed 1 and seed 2, is stored. In what follows, onlyone of them is shown. The other methods will be described later.

With reference to FIG. 12, processing steps similar to those previouslydescribed with reference to FIG. 10 are denoted by the same numbers.

In step S19 (FIGS. 10 and 12), seed information (seed 1) 431 read fromthe control data stored in the information recording medium is inputtedin an AES encryption processing block to execute AES encryptionprocessing applied with record key K1 generated before in step S16,thereby generating block key Kb1. AES_G shown in FIG. 12 denotes keygeneration processing applied with AES encryption processing and AES_Ddenotes data decryption applied with AES encryption processing.

In step S20 (refer to FIGS. 10 and 12), AES decryption processingapplied with block key Kb1 generated in step S19 is executed. In stepS20, only the data part on which encryption processing applied withblock key Kb1 is performed is decrypted. In this example, a data areawhich includes at least seed information (seed 2) of the start TS packet422 of the user data is the data part on which encryption processingapplied with block key Kb1 is performed. Therefore, the decryptionprocessing applied with block key Kb1 is executed on the data area whichincludes this seed information (seed 2).

It should be note that there are several patterns in which the data parton which the encryption processing applied with block key Kb1 isperformed is related to which data area, which will be described later.

The start TS packet 422 includes seed information (seed 2) 432 which isnecessary for calculating block key Kb2 to be applied to the decryptionof another user data part, namely, the subsequent 5952-byte TS packetgroup 423. Namely, seed information (seed 2) 432 is recorded to thestart TS packet 422 as the encrypted data on which the encryptionprocessing applied with block key Kb1 has been performed.

As a result of the decryption processing applied with block key Kb1 instep S20, a decrypted TS packet 424 is calculated, from which seedinformation (seed 2) is extracted.

In selector step S21 shown in FIG. 10, from the result of the decryptionprocessing applied with block key Kb1, seed information (seed 2) isoutputted to block key Kb2 generating step of step S22, the encrypteddata encrypted by block key Kb2 is outputted to decryption step S23, andother decrypted data (non-encrypted data) to selector step S24.

In step S22 (refer to FIGS. 10 and 12), AES encryption processing isexecuted on the basis of seed information (seed 2) extracted from thedecrypted TS packet 424 obtained as a result of the decryptionprocessing applied with block key Kb1 in step S20 and record key K2generated in step S17 (refer to FIG. 10), thereby calculating block keyKb2.

Next, in step S23, the encrypted part (a data area 423 encrypted byblock key Kb2) of the user data part is decrypted by applying block keyKb2 to generate a decrypted TS packet group 425.

The decrypted TS packet group 425 and a decrypted TS packet 426(=decrypted TS packet 424) are linked in selector step S24 to beinputted in the reproduction control processing means 255 as content 412composed of decrypted TS packets.

The following describes the reproduction control processing which isexecuted in the reproduction control processing means 255 with referenceto FIG. 13. The reproduction control processing means 255 receivessecond title key (Kt2) 411 and the decrypted content 412 from theencryption processing means 250.

First, in step S31, the reproduction control processing means 255 readsencrypted ASC, namely, data eKt2(ASC) which is the authoring studio code(ASC: Authoring Studio Code) encrypted by second title key (Kt2), fromthe information recording medium 100 and decrypts this data by applyingsecond title key (Kt2) received from the encryption processing means250, thereby obtaining an authoring studio code (ASC), which is storedin the memory.

Further, in step S32, the reproduction control processing means 255reads encrypted DMC, namely, data eKt2 (DMC) which is disc manufacturercode (DMC) encrypted by second title key (Kt2), from the informationrecording medium 100 and decrypts this data by applying second title key(Kt2) received from the encryption processing means 250, therebyobtaining a disc manufacturer code (DMC), which is stored in the memory.

The reproduction control processing means 255 detects, from thedecrypted content 412 received from the encryption processing means 250,a program map table (PMT: Program Map Table) which includes authoringstudio code (ASC) and disc manufacturer code (DMC). The PMT is theinformation which includes authoring studio code (ASC) and discmanufacturer code (DMC), which is embedded in the content at the contentauthoring entity 330. In step S33, authoring studio code (ASC) detectionis executed. In step S34, disc manufacturer code (DMC) detection isexecuted.

In step S35, the authoring studio code (ASC) detected from the PMT iscompared with the authoring studio code (ASC) obtained by the decryptionof encrypted authoring studio code eKt2 (ASC) and stored in the memory.

In step S36, the disc manufacturer code (DMC) detected from the PMT iscompared with the disc manufacturer code (DMC) obtained by thedecryption of the encrypted disc manufacturer code (DMC) eKt2 (DMC) andstored in the memory.

In step S37, the electronic watermark including authoring studio code(ASC) and disc manufacturer code (DMC) is detected from the content 412within a specified time to determine whether the electronic watermarkstored information matches the memory stored information. In thereproduction control processing means 255, its timer is set from thebeginning of content reproduction to determine whether the electronicwatermark including authoring studio code (ASC) and the discmanufacturer code (DMC) has been detected within a predetermined periodof time.

In step S38, it is determined whether matches have been found all in thecomparison in step S35, namely the comparison between the authoringstudio code (ASC) detected from the PMT and the authoring studio code(ASC) stored in the memory, and the comparison in step S36, namely, thecomparison between the disc manufacturer code (DMC) detected from thePMT and the disc manufacturer code (DMC) stored in the memory, andwhether the electronic watermark within a predetermined period of timein step S37 have been detected and matched.

In step S39, the content reproduction is continued if the determinationin step S38 is Yes; if the determination in step S38 is No, the contentreproduction is stopped.

The following describes, with reference to FIGS. 14 and 15, a sequenceof content reproduction processing in the information processing deviceas a user device on which content reproduction is executed.

In step S101, the information processing device (or the user device)reads cryptographic key information and identification information fromthe information recording medium. In step S102, title keys (Kt1, Kt2)are generated on the basis of the information read above and the devicekey stored in the information processing device concerned.

In step S103, disc ID (S, Sig) is read from the information recordingmedium and this disc ID is verified. If the verification fails, thecontent reproduction stops at this point of time. If the disc ID isfound successfully verified, then record keys K1 and K2 are generated instep S105.

In step S106, the encrypted ASC and the encrypted DMC read from theinformation recording medium on the basis of second title key (Kt2),namely, eKt2(ASC) and eKt2 (DMC), are decrypted, thereby storing theresultant authoring studio code (ASC) and disc manufacturer code (DMC)into the memory.

In step S107, block keys Kb1 and Kb2 are generated and the content isdecrypted and reproduced on the basis of the generated block keys Kb1and Kb2.

In step S108, the detection of PMT and electronic watermark is executed,while executing content reproduction. If the authoring studio code (ASC)is detected from the PMT in step S109, then the authoring studio code(ASC) detected in step S109 is compared with the authoring studio code(ASC) stored in the memory in step S110. If no match is found, then thecontent reproduction is stopped in step S121.

If a match is found, then the procedure goes to step Sill. If the discmanufacturer code (DMC) is found from the PMT, then the procedure goesto step S112, in which the detected disc manufacturer code (DMC) iscompared with the disc manufacturer code (DMC) stored in the memory. Ifno match is found, the content reproduction is stopped in step S121.

If a match is found, then the procedure goes to step S113. If authoringstudio code (ASC) and disc manufacturer code (DMC) are detected from theelectronic watermark information, then the procedure goes to step S114,in which the authoring studio code (ASC) detected in step S114 iscompared with the authoring studio code (ASC) stored in the memory andthe disc manufacturer code (DMC) detected in step S114 is compared withthe disc manufacturer code (DMC) stored in the memory. If no match isfound, the content reproduction is stopped in step S121.

In step S115, it is determined whether the PMT and the electronicwatermark information of authoring studio code (ASC) and discmanufacturer code (DMC) have been detected within a predetermined periodof time. If the PMT and the electronic watermark are found not detected,then the content reproduction is stopped in step S121.

The processing of detecting the PMT and the electronic watermark ofauthoring studio code (ASC) and disc manufacturer code (DMC) is repeatedat predetermined time intervals. As described with reference to FIG. 7,the PMT including authoring studio code (ASC) and disc manufacturer code(DMC) is repeatedly recorded at certain read time intervals (0.1 secondof reproduction interval, for example). The reproducing devicerepeatedly reads these pieces of information to execute comparisonprocessing. The same holds with the electronic watermark. Therefore, ina reproduction process started halfway in a particular piece of content,the verification of authoring studio code (ASC) and disc manufacturercode (DMC) based on PMT and electronic watermark can also be executedwithout failure.

However, if the PMT and the electronic watermark of one authoring studiocode (ASC) and one disc manufacturer code (DMC) have been detected and,if a match is found with the memory stored information, the subsequentrecord verification processing may be omitted.

As described above, the content stored in the information recordingmedium is encrypted by block keys Kb1 and Kb2 generated by seedinformation (seed 1) and seed information (seed 2). Because seedinformation (seed 2) is encrypted by the key generated by use of seedinformation (seed 1), namely block key Kb1, and the encrypted seedinformation is stored, the direct reading of the encrypted informationfrom the information recording medium cannot be practiced, therebyenhancing the robustness against the analysis of seed information (seed2), the analysis of block key Kb2 generated by use of seed information(seed 2), and the analysis of the encryption algorithm in which userdata is encrypted by block key Kb2.

Further, in the present configuration, authoring studio code (ASC) anddisc manufacturer code (DMC) are stored in the information recordingmedium along with the encrypted content and the encrypted content isreproduced only when these codes are successfully detected and verified,thereby stopping the reproduction of the content stored in a mediumhaving an unauthorized code or an information recording medium having nocode and allowing reproduction of only the content stored recordingmedia manufactured on the basis of an authorized manufacturing route. Ifthe replication of unauthorized information recording media ismanufactured and distributed, the detection of authoring studio code(ASC) and disc manufacturer code (DMC) allows the tracing of aninformation leakage route with ease.

The following describes an exemplary area which is encrypted by blockkey Kb1 generated on the basis of seed information (seed 1) and recordkey K, with reference to FIG. 16. FIG. 16 shows an example in which seedinformation (seed 1) is stored in the control block and seed information(seed 2) is included in one TS packet of user data. As described abovewith reference to FIG. 12, seed information (seed 2) is 128-bit data forexample. For this information, the information included in the head partof the head packet of one encryption processing unit (1 AU) is applied.

If seed information (seed 2) is stored in the packet, exemplary areaswhich are encrypted by block key Kb1 generated by seed information (seed1) and record key K1 are as shown in FIG. 16(a) through FIG. 16(c). FIG.16(a) shows an example in which only seed information (seed 2) isencrypted by block key Kb1. The other areas are made non-encrypted areasor the data areas encrypted by block key Kb2 generated by seedinformation (seed 2) and record key K2.

FIG. 6(b) shows an example in which a partial area of a TS packetincluding seed information (seed 2) is encrypted by block key Kb1.

FIG. 6(c) shows an example in which the entire area of one TS packetincluding seed information (seed 2) is encrypted by block key Kb1.

Thus, various manners of storing seed information (seed 1) and seedinformation (seed 2) and setting encrypted data areas are possible.However, in each manner, seed information (seed 2) is encrypted forstorage by the key generated by use of seed information (seed 1),namely, block key Kb1, so that the direct reading from the informationrecording medium is made impossible, thereby enhancing the robustnessagainst the analysis of seed information (seed 2), the analysis of blockkey Kb2 generated by use of seed information (seed 2), and the analysisof the encryption algorithm in which user data is encrypted by block keyKb2.

[Processing of Storing Data Into Information Recording Media]

As described before with reference to FIG. 2, each information recordingmedium in which encrypted content is stored is authored at the contentauthoring entity (AS: Authoring Studio) 330 and then replicated in lumpin the form of CD or DVD at information recording medium manufacturingentity (DM: Disc Manufacturer) 350 as the medium to be provided tousers. This medium is the information recording medium 100 herein.

The management on the above-mentioned disc manufacturer, sale, and useprocessing is executed by the trusted center (TC) 300. The trustedcenter 300 provides various kinds of management information to thecontent authoring entity (AS: Authoring Studio) 330 and the informationrecording medium manufacturing entity (DM: Disc Manufacturer) 350. Onthe basis of the management information supplied by the trusted center300, the content authoring entity (AS: Authoring Studio) 330 and theinformation recording medium manufacturing entity (DM: DiscManufacturer) 350 execute content authoring, encryption, and generationand storage of key information.

The following describes the details of the processing to be executed bythe trusted center 300, the content authoring entity 330, and theinformation recording medium manufacturing entity 350, with reference toFIGS. 17 and on.

FIG. 17 shows the processing to be executed by the trusted center 300,the content authoring entity 330, and the information recording mediummanufacturing entity 350.

The trusted center 300 holds content 501 given by a content owner and,in correspondence to the content or media to be stored in informationrecording media which are media to be manufactured, sets media key Km502, second title key Kt2 503, first title key Kt1 504, authoring studiocode (ASC) 505, disc manufacturer code (DMC) 506, disc-unique seed S507, the number of information recording media permitted to bemanufactured and bulk order disc count N 508.

In step S41, the trusted center 300 embeds authoring studio code (ASC)505 and disc manufacturer code (DMC) 506 into the content 501 suppliedby the content owner as electronic watermark.

In step S42, disc-unique key Kd 511 is generated on the basis ofdisc-unique seed S 507.

The trusted center 300 provides the content embedded with electronicwatermark, authoring studio code (ASC) 505, disc manufacturer code (DMC)506, and disc-unique key Kd 511 generated on the basis of disc-uniqueseed S 507 to the content authoring entity 330.

In step S43, the trusted center 300 generates EKB 512 as a cryptographickey block having a configuration in which media key Km 502 can beobtained only with the device key of the user device having a license asthe content reproduction right.

In step S44, second title keys Kt2 503 is encrypted on the basis ofmedia key Km 502 to generate encrypted second title key eKm(Kt2) 513. Instep S45, first title key Kt1 504 is encrypted on the basis of media keyKm 502 to generate encrypted first title key eKm(Kt1) 514.

In step S46, authoring studio code (ASC) 505 is encrypted by secondtitle key Kt2 503 to generate eKt2 (ASC) 515 which is encrypted ASC. Instep S47, disc manufacturer code (DMC) 506 is encrypted by second titlekey Kt2 503 to generate eKt2(DMC) 516 which is encrypted DMC.

Further, N (S, Sig), namely, N individual disc IDs 517 are generated onthe basis of the number of information recording media permitted to bemanufactured and bulk order disc count N 508, in correspondence with thedisc-unique seed S 507.

EKB 512, encrypted second title key eKm(Kt2) 513, encrypted first titlekey eKm(Kt1) 514, eKt2(ASC) 515 which is encrypted ASC, eKt2(DMC) 516which is encrypted DMC, N individual disc ID 517, and first title keyKt1 are provided from the trusted center 300 to the informationrecording medium manufacturing entity 350.

The following describes the processing to be executed by the contentauthoring entity 330. The content authoring entity 330 executes theencoding, MPEG encoding for example in a encoder 531, of the contentembedded with electronic watermark supplied from the trusted center 300,thereby generating transport stream data, and executes, in a PMT(Program Map Table) embedding block 532, the embedding of authoringstudio code (ASC) and disc manufacturer code (DMC) supplied from thetrusted center 300. PMT is the information that includes authoringstudio code (ASC) and disc manufacturer code (DMC), which are embeddedin the content at the content authoring entity 330.

The following describes the details of embedding the PMT that includesauthoring studio code (ASC) and disc manufacturer code (DMC), which isexecuted by the PMT (Program Map Table) embedding block 532, withreference to FIGS. 18 and on.

FIG. 18 shows a PMT configuration specified in ISO/IEC 13818-1: 1996(MPEG system) and the storage locations of authoring studio code (ASC)and disc manufacturer code (DMC) proposed hereby.

ISO/IEC 13818-1: 1996 (MPEG system) specifies the data configuration ofprogram map table (PMT) as shown in FIG. 18.

At the beginning, the storage position of 8-bit table ID is specified,followed by a 76-bit area for storing various control information andidentification information. Subsequently, a 12-bit program informationlength storage area providing the data length information of the programinformation area is set, followed by a program information area 540having a data length specified in the program information length.Subsequent to the program information area 540, elementary streaminformation is stored, for each data unit, as the control information inunits of video data and audio data constituting the content, lastlyfollowed by a 32-bit CRC (Cyclic Redundancy Code).

In the program information area 540, an area in which desired additionalinformation may be stored may be set, in which authoring studio code(ASC) and disc manufacturer code (DMC) are stored. It should be notedthat, as described before, authoring studio code (ASC) and discmanufacturer code (DMC) may be not only the code data set as authoringstudio identifier and disc manufacturer identifier respectively but alsothe codes set for each piece of content to be stored in the recordingmedium. Besides, these codes may also be set as those which include thedate information such as order date and manufacture date of each contentstored recording medium.

These authoring studio code (ASC) and disc manufacturer code (DMC) aresupplied from the trusted center 300 to the content authoring entity330. The content authoring entity 330 embeds the supplied codes into thecontent must pass the code-embedded content to each disc manufacturerentity after surely encrypting the content on the basis of block key Kb2generated by applying seed 2 in a encryption processing block 533 (referto FIG. 17).

Namely, authoring studio code (ASC) and disc manufacturer code (DMC) canbe known only by the trusted center 300 and the content authoring entity330, thereby preventing these codes from being leaked outside.

Therefore, authoring studio code (ASC) and disc manufacturer code (DMC)must be surely arranged in the area to be encrypted on the basis ofblock key Kb2. Basically, most data areas of source packets storingcontent and program map table (PMT) are those areas which are encryptedby block key Kb2 generated by seed 2. However, only the storage area ofseed 2 used for the information for generating block key Kb2 is outsidethe encrypted areas encrypted by block key Kb2. Therefore, control mustbe done such that the data area of authoring studio code (ASC) and discmanufacturer code (DMC) do not overlap the seed 2 area.

As shown in FIG. 19, seed 2 is set for each 1 AU (Aligned Unit) set asencryption processing unit, block key Kb2 as an encryption key isgenerated by use of seed 2 set for each processing unit, and each sourcepacket data composed by content and program map table is encrypted forstorage by the generated block key Kb2.

Therefore, when authoring studio code (ASC) and disc manufacturer code(DMC) are set to the area in which seed 2 at the start of 1 AU asencryption processing unit is located, these codes provides theinformation which is applied as seed 2. This consequently causes aproblem of passing these codes from the content authoring entity 330 toa disc manufacturer entity in the form of plaintext without encryptionby block key Kb2.

To prevent this problem from occurring, the PMT embedding block 532 ofthe content authoring entity 330 must execute PMT embedding processingin which the storage locations of authoring studio code (ASC) and discmanufacturer code (DMC) are controlled.

There are two methods in which the storage locations of authoring studiocode (ASC) and disc manufacturer code (DMC) are controlled.

In the first method, of the 32 packets included in 1 AU (Aligned Unit)which is encrytption processing unit, program map table (PMT) is notarranged in each packet that includes the seed 2 area.

Unlike conventionally practiced MPEG-TS duplexing, control of theinsertion position of PMT packet requires special duplexing processingin which the arrangement of PMT is prohibited for each head (the head ona 32-packet basis) of each encryption processing unit (AU: AlignedUnit). This PMT arrangement control can prevent authoring studio code(ASC) and disc manufacturer code (DMC) from being set to the seed 2area. In this case, ASC and DMC may be written to any location in PMT.

In the other method, the writing positions of authoring studio code(ASC) and disc manufacturer code (DMC) are controlled in program maptable (PMT), so that authoring studio code (ASC) and disc manufacturercode (DMC) will not overlap the seed 2 area if the PMT packet is locatedanywhere in content source packet.

The method will be described with reference to FIG. 20. FIG. 20(a) showsthe entire data of program map table PMT, which starts with 8-bit tableID, followed by 76-bit specified control information and identificationinformation, and 12-bit program information length. Thereafter, programinformation is stored. As described above, authoring studio code (ASC)and disc manufacturer code (DMC) as additional information are stored inthis program information area.

As shown in FIG. 20(b), program map table PMT is composed of the start183-byte data and a subsequent 184-byte data sequence, which are storedas a payload of TS packets. For the first packet, the payload ispreceded by 4-byte header information and 1-byte pointer information. Ineach subsequent packet, the payload is preceded by only 4-byte headerinformation, as shown in (c). As shown in (d), each TS packet provides asource packet (192 bytes long) attached with header information such astimestamp and CCI and is set to a content source packet sequence in ascattered manner.

At this moment, a part which is possibly set as seed 2 is an area withinthe start area of 128 bits (or a 16-byte part) of each source packet.Namely, an area within the start part of 128 bits (or 16-byte part) ofthe start source packet of the encryption processing unit (1 AU) shownin FIG. 19 is the area to be set as the seed 2 area. If a source packetstoring the divided data of program map table PMT is arranged as thisstart source packet of encryption processing unit (1 AU), the start128-bit part of this source packet is possibly set as seed 2. In thiscase, this data area is passed from the content authoring entity 330 toeach disc manufacturer entity in the form of plaintext.

As shown in FIG. 20(b), the start packet (No. 1) always stores 8-bittable ID specified as the start data of program map table PMT, 76-bitcontrol information and identification information, and 12-bit programinformation length. The packets No. 2 and following packets each storethe data subsequent to the halfway data of program information.

Each of the No. 2 and subsequent packets is attached at its head a totalof 8 bytes=96 bits of 4-byte TS packet header and 4-byte source packetheader. If this 8-byte data is immediately followed by authoring studiocode (ASC) and disc manufacturer code (DMC), a portion which overlapsthe seed 2 area of the start 128 bits (or 16 bytes) of source packetoccurs, which is passed from the content authoring entity 330 to eachdisc manufacturer entity in the form of plaintext.

However, since the start packet (No. 1) always stores 8-bit table IDspecified as the start data of program map table PMT, 76-bit controlinformation and identification information, and 12-bit programinformation length, a total of 21 bytes (=168 bits) of 4 bytes of sourcepacket header, 4 bytes of TS packet header, 1 byte of pointer, and 12bytes (96 bits) of start data of program map table PMT) are set as shownin FIG. 20(e).

These 21 bytes (=168 bits) are longer than the maximum bit length 16bytes (128 bits) of seed 2. Therefore, the program information areastored in the payload of the start packet (No. 1) will not overlap theseed 2 setting area.

Consequently, storing authoring studio code (ASC) and disc manufacturercode (DMC) into the data area (within 183 bytes from the start of PMT)stored in the start packet in the program information area in programmap table PMT puts these codes into a area that is always encrypted byblock key Kb2.

To be more specific, as shown in FIG. 20(d), if the source packetstoring the start data of program map table PMT is set as the startsource packet of 1 AU which is encryption processing unit and the seed 2area 541 is set, the 16-byte (or 128-bit) area which is set as the startseed 2 information area of that source packet falls within the total21-byte (=168 bits.) area of source packet header (4 bytes), TS packetheader (4 bytes), pointer (1 byte), start data 12 bytes of program maptable PMT, so that the program information area included in the startpacket is set as an encrypted area 542 encrypted by block key Kb2. Bysetting authoring studio code (ASC) and disc manufacturer code (DMC) tothis encrypted area, these codes are always encrypted by block key Kb2.

The above-mentioned setting requires to control the storage locations ofauthoring studio code (ASC) and disc manufacturer code (DMC) in programmap table PMT. Namely, the following two conditions must be satisfied:

(1) both authoring studio code (ASC) and disc manufacturer code (DMC)must always be included in the start packet; and

(2) these codes should not be included in the seed 2 area (within 128bits) of the start part of the start packet.

To be more specific, in the present embodiment, the satisfaction ofcondition (1) requires to record authoring studio code (ASC) and discmanufacturer code (DMC) within 183 bytes from the beginning of programmap table PMT because the payload portion of the start TS packet is 183bytes long.

The satisfaction of condition (2) requires to prevent the storagelocations of authoring studio code (ASC) and disc manufacturer code(DMC) from being set within the first 128 bits of each source packet.However, as shown in FIG. 20, condition is satisfied because there exista total of 21 bytes, namely, 4 bytes of source packet header, TS packetheader and point of 4+1=5 bytes, and text header of 12 bytes of thestart of PMT in the PMT configuration specified in ISO/IEC 13818-1: 1996(MPEG system), this area is greater than seed 2 area k of 16 bytes, andauthoring studio code (ASC) and disc manufacturer code (DMC) arerecorded in the subsequent program information area.

Consequently, executing the control of storage location of each codewithin PMT in which the codes are stored in the program information areaof program map table PMT and the data area within 183 bytes from thebeginning of program map table PMT prevents the storage of these codesfrom matching the seed 2 area, thereby preventing these codes from beingpassed from the content authoring entity 330 to each disc manufacturerentity in the form of plaintext.

Namely, as shown in FIG. 21, the 183 bytes from the beginning of programmap table PMT of (a) provide the information area which is stored as thepayload of the start TS packet and the storage locations of authoringstudio code (ASC) and disc manufacturer code (DMC) are set inside theprogram information area included in this information area.

As a result, as shown in (b) and (c), the program information area inwhich authoring studio code (ASC) and disc manufacturer code (DMC) arestored becomes an area that is encrypted by block key Kb2, therebyallowing these codes to be encrypted without failure, the encryptedcodes being passed from the content authoring entity 330 to each discmanufacture entity.

The processing operations that the content authoring entity 330 executesin the PMT (Program Map Table) embedding block 532 shown in FIG. 17 aresummarized as follows:

(1) controlling the write positions of authoring studio code (ASC) anddisc manufacturer code (DMC), which are entity codes set incorrespondence with the entities of the manufacturing route ofinformation recording media to set these codes into program map table(PMT), which is a control information table;

(2) generating PMT stored packets in which two or more packets storingthe control information table are stored in a divided manner; and

(3) arranging the PMT stored packets into a content stored packetsequence in a distributed manner.

In the above-mentioned entity code setting processing (1), theprocessing in which authoring studio code (ASC) and disc manufacturercode (DMC) are controlled such that these codes are included, withoutoverlapping the seed 2 setting area, into the encrypted area that isencrypted by the key (block key Kb2) generated on the basis of seed 2.

It should be noted that, in the present embodiment, authoring studiocode (ASC) and disc manufacturer code (DMC) are used for theidentification codes; however, as described before, a configuration isalso practicable in which identification information (codes) areassigned to various entities, managed by the trusted center, existing inthe manufacturing and distributing processes of content recorded mediafor example. If an identification code is assigned to each of theseentities, each code is stored in an area that is encrypted withoutfailure by block key Kb2, as described before.

The content authoring entity 330 executes the above-mentioned processingoperations through the PMT (Program Map Table) embedding block 532 shownin FIG. 17 to embed PMT including authoring studio code (ASC) and discmanufacturer code (DMC) and then executes the encryption processingthrough the encryption processing block 533 shown in FIG. 17. Thefollowing describes the details of the processing to be executed by theencryption processing block 533 of the content authoring entity 330,with reference to FIG. 22.

In step S51, the content authoring entity 330 generates a record seed(REC SEED) on the basis of random numbers. The record seed (REC SEED) isdata to be passed to an information recording medium manufacturingentity as output data. In step S52, record key K2 is generated by use ofdisc-unique key Kd supplied from the trusted center 300 and by executingthe encryption processing applied with the record seed (REC SEED). Instep S53, block key Kb2 is generated (in step S54) on the basis of theseed information (seed 2) extracted from the content and record key K2.In step S55, the data area including the content and program map tableis encrypted by use of block key Kb2. In selector step S53, seed 2 isselected and the data part on which the encryption processing of stepS55 is executed is separated from the data part on which the encryptionprocessing of step S55 is not executed. In step S56, the encrypted dataand the non-encrypted data are linked again to be passed to theinformation recording medium manufacturing entity along with the recordseed (REC SEED) as disc image data.

In the data outputted from the content authoring entity 330, the seedinformation (seed 2) is set as plaintext data and the other informationis encrypted by block key Kb2 generated by applying seed 2 as shown inFIG. 22 (b). This encrypted data contains PMT (Program Map Table)including authoring studio code (ASC) and disc manufacturer code (DMC).

The following describes the processing to be executed by the informationrecording medium manufacturing entity 350 with reference to FIG. 17again. The information recording medium manufacturing entity 350executes encryption processing through a encryption processing block 551on the content supplied from the information recording mediummanufacturing entity 350.

The following describes the details of the encryption processing to beexecuted by the encryption processing block 551 of the informationrecording medium manufacturing entity 350, with reference to FIG. 23.

In step S62, the information recording medium manufacturing entity 350generates a physical index on the basis of random number. In step S62,this entity generates record key K1 by the encryption processing appliedwith first title key Kt1 supplied from the trusted center 300 and thephysical index generated above. In step S63, this entity generates blockkey Kb1 (step S64) on the basis of the seed information (seed 1)selected from the content and record key K1. In step S65, this entityexecutes the processing of encrypting the data area that includes theseed information (seed 2) in the content on the basis of block key Kb1.In selector step S63, seed 1 is selected and the data part on which theencryption processing in step S65 is executed is separated from the datapart on which the encryption processing in step S65 is not executed. Instep S66, the encrypted data and non-encrypted data are linked again toprovide output data.

In the data to be outputted from the encryption processing block 551 ofthe information recording medium manufacturing entity 350, the seedinformation (seed 1) is set in the control data (UCD: User Control Data)as plaintext data as shown in FIG. 23(b) and the data area includingseed 2 is encrypted by block key Kb1 generated by applying seed 1.

Referring to FIG. 17 again, the description of the processing to beexecuted by the information recording medium manufacturing entity 350will be continued. The output data of the encryption processing block551 of the information recording medium manufacturing entity 350 isinputted in a format processing block 552 to execute the processing ofwriting EKB 512 supplied from the trusted center 300, encrypted secondtitle key eKm(Kt2) 513, encrypted first title key eKm(Kt1) 514,eKt2(ASC) 515 which is encrypted ASC, and eKt2(DMC) 516 which isencrypted DMC to the lead-in area (refer to FIG. 1) of the disc. In thiswrite processing, the physical index generated in step S61 shown in FIG.23(a) is also recorded to the disc.

Further, the information recording medium (or the disc) containing theabove-mentioned items of information is replicated by a replicator 553.The amount of replications is equivalent to bulk order count N set bythe trusted center 300. The different disc IDs supplied by the trustedcenter 300 are stored in different discs.

When all of these items of information have been stored, the informationrecording medium 100 is distributed on the market. The content recordedon the purchased information recording medium 100 is reproduced on theinformation processing device of the user on the basis of theabove-mentioned decryption processing and reproduction controlprocessing. The information recording medium 100 stores the variousitems of information described with reference to FIG. 1 and isreproduced on the information processing device of the user on the basisof the decryption and control processing described with reference toFIGS. 9 through 15.

[Processing Configuration Without Using Disc ID]

In the above-mentioned embodiment, different disc IDs are set todifferent information recording media, the user device gets the disc IDfrom each information recording medium, verification is performed on thedisc ID, disc-unique key Kd is generated by applying disc-unique seed S,which is a component of the disc ID (steps S15 shown in FIG. 10), andthe content is decrypted by applying the generated disc-unique key Kd.

However, the processing of recording different IDs to differentinformation recording media takes much time, so that it is sometimesdesired to omit this processing. The following describes an example ofthe processing that does not use different disc IDs for differentinformation recording media.

FIG. 24 shows an example of the processing that does not use the discIDs that are used by the trusted center 300, the content authoringentity 330, and information recording medium manufacturing entity 350 inthe foregoing embodiment.

Referring to FIG. 24, an area 600 enclosed by dashed lines is differentfrom the configuration in which disc IDs are used, described before withreference to FIG. 17. It should be noted that the processing andconfiguration associated with the disc IDs described with reference toFIG. 17 are not shown in FIG. 24.

A trusted center 300 holds a content 501 supplied by its owner, setsmedia key Km 502, second title key Kt2 503, first title key Kt1 504,authoring studio code (ASC) 505, disc manufacturer code (DMC) 506 to thecontent to be stored in each information recording medium to bemanufactured or to the medium itself, and sets third title key Kt3 601to content to be stored in each information recording medium to bemanufactured or to the medium itself.

In this another embodiment, the disc-unique seed S 507 and the number ofinformation recording media permitted for manufacture, namely, bulkorder disc count N 508, are omitted from the configuration.

In step S41, the trusted center 300 embeds authoring studio code (ASC)505 and disc manufacturer code (DMC) 506 into the content 501 suppliedby its owner, as electronic watermark.

The trusted center 300 provides the content embedded with the electronicwatermark, authoring studio code (ASC) 505, disc manufacturer code (DMC)506, and disc-unique key Kd 511 to the content authoring entity 330.

In step S43, the trusted center 300 generates EKB 512, which is acryptographic key block configured to be obtainable only in the devicekey of the user device having media key Km 502 as a license, which isthe right of content reproduction.

In step S44, the trusted center 300 encrypts second title key Kt2 503 onthe basis of media key Km 502 to generate encrypted second title keyeKm(Kt2) 513. In step S45, the trusted center 300 encrypts first titlekey Kt1 504 on the basis of media key Km 502 to generate encrypted firsttitle key eKm(Kt1) 514.

Further, in step S46, the trusted center 300 encrypts authoring studiocode (ASC) 505 by second title key Kt2 503 to generate eKt2(ASC) 515,which is encrypted ASC. In step S47, the trusted center 300 encryptsdisc manufacturer code (DMC) 506 by second title key Kt2 503 to generateeKt2(DMC) 561, which is encrypted DMC.

In step S71, the trusted center 300 encrypts third title key Kt3 601 onthe basis of media key Km 502 to generate encrypted third title keyeKm(Kt3) 602.

EKB 512, encrypted second title key eKm(Kt2) 513, encrypted first titlekey eKm(Kt1) 514, eKt2(ASC) 515, eKt2(DMC) 516, and encrypted thirdtitle key eKm(Kt3) 602 are provided from the trusted center 300 to theinformation recording medium manufacturing entity 350.

The processing by the content authoring entity 330 and the processing bythe information recording medium manufacturing entity 350 are basicallythe same as described before with reference to FIGS. 17 through 23.However, a format processing block 552 of the information recordingmedium manufacturing entity 350 executes the processing of writing tothe lead-in area of each information recording medium and a replicator553 of the information recording medium manufacturing entity 350 doesnot execute the processing of writing of the disc ID for each disc.

An information recording medium 100 manufactured as a result of theabove-mentioned processing stores the data as shown in FIG. 25.

As shown in FIG. 25, stores a physical index 102, encrypted content 103,a record seed (REC SEED) 104, and cryptographic key information 120. Thecryptographic key information 120 is stored in the lead-in area 110 thatis different from the content storage area of the information recordingmedium 100 and can be read by a special program.

The cryptographic key information 120 includes encrypted third title keyeKm(Kt3). The differences from the configuration shown in FIG. 1 arethat no disc ID is stored and encrypted third title key eKm(Kt3) 611 isadded to the cryptographic key information 120.

The following describes the content decryption processing to be executedby a encryption processing means of an information processing device (orthe user device) that reproduces the above-mentioned informationrecording medium, with reference to FIG. 26.

The processing shown in FIG. 26 defers from the processing ofreproducing the information recording medium having a disc ID describedbefore with reference to FIG. 10 in that the information recordingmedium 100 has encrypted third title key eKm(Kt3) 611 and there are theprocessing of generating disc-unique key Kd of step S82 and theprocessing of decrypting encrypted third title key eKm(Kt3) 611 of stepS81.

In the present embodiment, disc-unique seed S (refer to step S14 shownin FIG. 10) obtained from the disc ID is not applied to the processingof generating disc-unique key Kd.

In the present embodiment, in step S81, encrypted third title keyeKm(Kt3) 611 is decrypted by use of media key Km to get third title keyKt3. In step S82, encryption processing is executed by use of obtainedthird title key Kt3 and second title key Kt2 obtained by the decryptionprocessing of step S12, thereby generating disc-unique key Kd.

The subsequent processing is the same as the processing described beforewith reference to FIG. 10. In the present embodiment, of whichconfiguration uses no disc ID, the processing of recording different IDsto different information recording media is not required, therebymitigating the processing load of each information recording mediummanufacturing entity in the bulk production of discs, for example.

In the present embodiment, the content stored in an informationrecording medium is also encrypted by block keys Kb1 and Kb2 generatedby seed information (seed 1) and seed information (seed 2), and seedinformation (seed 2) is encrypted by the key generated by use of seedinformation (seed 1), namely, block key Kb1, before being stored, sothat their direct reading from the information recording medium isimpossible, thereby enhancing the robustness against the analysis ofseed information (seed 2), the analysis of block key Kb2 generated byuse of seed information (seed 2), and the analysis of the encryptionalgorithm in which user data is encrypted by block key Kb2.

Further, authoring studio code (ASC) and disc manufacturer code (DMC)are set to the area that is encrypted without failure by block key Kb2generated by applying seed information (seed 2), these codes are thenencrypted at the content authoring entity 330, and the encrypted codesare passed to the information recording medium manufacturing entity 350,thereby preventing the code information from being leaked outside.

In addition, the reproduction processing is executed only when thedetection and matching of authoring studio code (ASC) and discmanufacturer code (DMC) are successfully made, so that any attempt toreproduce any content that has no authorized code or no electronicwatermark is defeated, thereby allowing the reproduction of only thecontent stored recording media manufactured on the basis of authorizedmanufacturing routes. In case the manufacturing and distributing ofunauthorized replications should happen, this configuration also allowsthe easy tracing of information leakage routes by the detection ofauthoring studio code (ASC) and disc manufacturer code (DMC).

[Exemplary Configuration of Information Processing Device and OtherEntities]

The following describes, with reference to FIG. 27, exemplaryconfiguration of the information processing device as a user device, thetrusted center, the content authoring entity, the information recordingmedium manufacturing entity, and the information processing deviceapplied for each entity to execute encryption and data generationprocessing described in the above-mentioned embodiments of theinvention. For the information processing device as a user device, thetrusted center, the content authoring entity, the information recordingmedium manufacturing entity, and the information processing deviceapplied for each entity to execute encryption processing and datageneration processing described in the above-mentioned embodiments ofthe invention, general-purpose information processing devices, such asPCs and information processing servers are available. The followingdescribes, with reference to FIG. 27, an exemplary configuration of aninformation processing device for each of the above-mentioned entitiesto execute encryption processing and data generation processing.

A CPU (Central Processing Unit) 701 executes various processingoperations as directed by various programs stored in a ROM (Read OnlyMemory) 702 or programs stored in a storage block 708 and loaded into aRAM (Random Access Memory) 703. A timer 700 executes clocking andsupplies clock information to the CPU 701.

The ROM (Read Only Memory) 702 stores parameters for computation andfixed data for use by programs. The RAM (Random Access Memory) 703stores programs for use in the execution of the CPU 701 and parametersthat change from time to time in the execution of the CPU 701. Thesecomponents are interconnected by a bus 711.

A encryption processing block 704 executes various kinds of encryptionprocessing described above, the encryption processing applying the AESencryption algorithm for example. A WM processing block 713 executes theprocessing based on information hiding technologies, such as embeddingdata into video signal as invisible information by use of the spreadspectrum technology or embedding data into audio signal asunrecognizable information, for example.

An input/output interface 712 is connected with an input block 706 basedon keyboard and mouse for example, an output block 707 based on displaylike CRT or LCD and speaker, the storage block 708 based on hard discdrive, and a communication block 709. The communication block 709communicates with the above-mentioned entities for example by datatransmission/reception over a communication network such as theInternet.

While preferred embodiments of the present invention have been describedusing specific terms, such description is for illustrative purpose only,and it is to be understood that changes and variations may be madewithout departing from the spirit or scope of the following claims.

The above-mentioned sequence of processing operations may be executed bysoftware or hardware or a combination of both. When the above-mentionedsequence of processing operations is executed by software, the programsconstituting the software are installed in a memory of a computer whichis built in dedicated hardware equipment, or installed into ageneral-purpose computer for example in which various programs may beinstalled for the execution of various functions.

For example, programs may be stored in the hard disc drive or the ROM(Read Only Memory) functioning as recording media in advance.Alternatively, programs can be stored (or recorded) temporarily orpermanently in removable recording media, such as flexible disc, CD-ROM(Compact Disc Read Only Memory), MO (Magneto-Optical) disc, DVD (DigitalVersatile Disc), magnetic disc, and semiconductor memory. Theseremovable recording media can be provided in the form of so-calledpackage software.

It should be noted that, instead of installing from any of theabove-mentioned removable recording media into the computer, programscan be downloaded from download sites onto the computer in a wirelessmanner or via a network such as LAN (Local Area Network) or the Internetin a wired manner. Receiving the programs supplied in any of theabove-mentioned methods, the computer can install the received programsinto its incorporated recording media such as the hard disc drive forexample.

It should also be noted that the above-mentioned various processingoperations herein can be executed not only in a time-dependent manner inaccordance with their description but also in a parallel manner or anindividual manner in accordance with the performance of the device thatexecutes these processing operations. Term “system” as used hereindenotes a logical aggregation of plural devices and is not restricted toa configuration in which all its components are accommodated in a singlehousing.

INDUSTRIAL APPLICABILITY

As described and according to the invention, the entity codes such asauthoring studio code (ASC) and the disc manufacturer code (DMC) can beencrypted without failure and stored in information recording media toprevent these entity codes from being leaked outside. Therefore, thenovel configuration can prevent the manufacturing of the recording mediain which stored an illegally obtained copy of content made by use ofthese entity codes that are illegally obtained by masquerading entities.To be more specific, the data setting locations in program map table(PMT) is controlled such that these entity codes will not overlap theseed area that provides key generating information, so that, if thepacket storing the program map table storing authoring studio code (ASC)and disc manufacturer code (DMC) is set to an arbitrary position in acontent packet sequence, these entity codes will not overlap the seedarea that is non-encrypted data, thereby preventing these entity codesfrom being leaked outside.

Further, in the novel configuration, authoring studio code (ASC) anddisc manufacturer code (DMC) are stored in each information recordingmedium along with encrypted content and the encrypted content can bereproduced only when the detection and matching of these entity codesare successfully executed, so that any attempt to reproduce contentstored in any recording medium having the illegally obtained codes orany information recording medium that stores none of these entity codesis defeated, thereby allowing the reproduction of only the contentstored in the recording media that have been manufactured on the basisof authorized manufacturing routes. In case the manufacturing anddistributing of unauthorized replications should happen, thisconfiguration also allows the easy tracing of information leakage routesby the detection of authoring studio code (ASC) and disc manufacturercode (DMC).

In addition, in the novel configuration, the code information of eachentity is stored in each information recording medium, so that only thecontent authoring entity and information recording medium manufacturingentity that are managed by the trusted center are allowed to authorcontent and manufacture the information recording media storing theauthored content, thereby making it practicable, in case of the illegalreplication of the information recording media, to trace informationleakage routes on the basis of the detection of these entity codes.

1. An information recording medium storing encrypted content, having aconfiguration in which content and an entity code set for each entity ina manufacturing route of said information recording medium, and dataincluded in a certain encryption processing unit is encrypted by a keygenerated on the basis of a seed providing encryption processing keygenerating information set for each said encryption processing unit andsaid entity code is stored in an encrypted area which is encrypted bysaid key generated on the basis of said seed, said encrypted area notoverlapping an area to which said seed is set.
 2. The informationrecording medium according to claim 1, wherein said encryptionprocessing unit is set as a collective data area of a plurality ofpackets and said seed is set as data having the predetermined number ofbits from start data of a start packet of said encryption processingunit and said entity code is stored as a payload of each of saidplurality of packets and stored in a data area not overlapping an areaof bits constituting said seed.
 3. The information recording mediumaccording to claim 1, wherein said entity code is stored in a programmap table (PMT) specified by the MPEG standard and said entity codeprovides data constituting a start packet of a plurality of dividedpackets storing said program map table (PMT) in a program informationarea of said program map table (PMT).
 4. The information recordingmedium according to claim 3, wherein said start packet of said pluralityof divided packets is a transport stream packet having a payload of 183bytes and said entity code is stored as data within 183 bytes from startdata of said program map table (PMT) in said program information area ofsaid program map table (PMT).
 5. The information recording mediumaccording to claim 1, wherein said entity code is stored in a programmap table (PMT) specified by the MPEG standard, said program map table(PMT) is stored as a payload of each of a plurality of transport streampackets in a divided manner, and each of said plurality of transportstream packet is attached with timestamp information to be stored insaid information recording medium as a source packet in a distributedmanner.
 6. The information recording medium according to claim 1,wherein said information recording medium includes a first seed, whichis key generating information set for each said encryption processingunit, an encrypted second seed, which is key generating informationencrypted on the basis of a first block key Kb1 generated by said firstseed, and encrypted content and an encrypted entity code encrypted onthe basis of a second block key Kb2 generated on the basis of saidsecond seed.
 7. The information recording medium according to claim 1,wherein said entity code includes an authoring studio code (ASC) and adisc manufacturer code (DMC).
 8. A data processing method for generatingdata to be written to an information recording medium, comprising: anentity code setting step in which a position at which an entity code setfor an entity in a manufacturing route of said information recordingmedium is set is controlled to set said entity code in a controlinformation table; a table information stored packet generating step inwhich a plurality of packets in which said control information table isstored in a divided manner are generated; a step in which said pluralityof table information stored packets are arranged in a content storedpacket sequence in a distributed manner; and a step in which dataincluded in a certain encryption processing unit is encrypted by use ofa key generated on the basis of a seed which is encryption processingkey generating information set for each said encryption processing unit;wherein said entity code setting step includes a step in which controlis executed such that said entity code is included in an encrypted areaencrypted by a key generated on the basis of said seed withoutoverlapping an area to which said seed is set.
 9. The data processingmethod according to claim 8, wherein said encryption processing unit isa collective data area of a plurality of packets, said seed is datahaving the predetermined number of bits from start data of a startpacket of said encryption processing unit, and said entity code settingstep includes a step in which said entity code is set to a data areawhich does not overlap an area of bits constituting said seed.
 10. Thedata processing method according to claim 8, wherein, in said entitycode setting step, said entity code is set in a program information areaof said program map table (PMT) specified by the MPEG standard and to aposition of data constituting a start packet of a plurality of dividedpackets storing said program map table (PMT).
 11. The informationprocessing method according to claim 10, wherein said start packet ofsaid plurality of divided packets is a transport stream packet having apayload of 183 bytes and, in said entity code setting step, said entitycode is set as data said program information area of said program maptable (PMT) and within 183 bytes from start data of said program maptable (PMT).
 12. A computer program for executing the processing ofgenerating data to be written to an information recording medium,comprising: an entity code setting step in which a position at which anentity code set for an entity in a manufacturing route of saidinformation recording medium is set is controlled to set said entitycode in a control information table; a table information stored packetgenerating step in which a plurality of packets in which said controlinformation table is stored in a divided manner are generated; a step inwhich said plurality of table information stored packets are arranged ina content stored packet sequence in a distributed manner; and a step inwhich data included in a certain encryption processing unit is encryptedby use of a key generated on the basis of a seed which is encryptionprocessing key generating information set for each said encryptionprocessing unit; wherein said entity code setting step includes a stepin which control is executed such that said entity code is included inan encrypted area encrypted by a key generated on the basis of said seedwithout overlapping an area to which said seed is set.